BarangaySystem/docs/completed/chklist-20260403024500.md
2026-06-06 18:43:00 +08:00


Checklist: POS Access Control & Login Hardening

1. User Type Check & Parent Role Configuration

  • app/Http/Controllers/Helpers/Permissions/UserPermissions.php: Ensure POS_TERMINAL role has:
    • ViewPosReports
    • ViewCustomers
    • ViewUserInfo (For customer lookup)
    • ManageUserInfo (For customer lookup)
    • ViewShipments (Optional? User didn't specify, but often needed).
  • app/Http/Controllers/Helpers/Permissions/UserPermissions.php: Verify that STORE_MANAGER is the only parent role for POS_TERMINAL.
  • app/Http/Controllers/Helpers/Permissions/UserTypeService.php: Ensure STORE_MANAGER (and above) can create POS_TERMINAL users.

2. Store-Level Authorization Helper

  • Create a helper to verify if a user is allowed to access a specific store's POS/Reports.
  • Implementation (the check fails closed: any branch that cannot positively establish a relationship to the store returns false):

```php
public static function isUserAllowedAccessToStore($user, $storeId): bool
{
    // Anonymous callers never get through, regardless of store.
    if (!$user) return false;

    // ULTIMATE accounts are unrestricted.
    if ($user->acct_type === UserTypes::ULTIMATE) return true;

    $store = Store::find($storeId);
    if (!$store) return false;

    // Direct owner or manager of the store.
    if ($user->id === $store->owner_id || $user->id === $store->manager_id) return true;

    // Direct child of the owner/manager (POS_TERMINAL / RIDER accounts).
    // The null guard matters: without it a store whose owner_id/manager_id is
    // unset would match every top-level user whose parentuid is also null.
    if ($user->parentuid !== null
        && ($user->parentuid === $store->owner_id || $user->parentuid === $store->manager_id)) {
        return true;
    }

    // Ancestor further up the chain of the owner/manager (e.g. the manager's parent).
    // Guard the relations so a store with no owner or no manager does not throw.
    if ($store->owner && self::isAncestorOf($user, $store->owner)) return true;
    if ($store->manager && self::isAncestorOf($user, $store->manager)) return true;

    return false;
}
```

3. Controller Hardening

  • app/Http/Controllers/Market/PosController.php: Apply isUserAllowedAccessToStore in startSession using store_hash.
  • app/Http/Controllers/Market/PosController.php: Apply isUserAllowedAccessToStore in getSession when looking up a store session.
  • app/Http/Controllers/Market/PosController.php: Apply isUserAllowedAccessToStore in getTodayStats.
  • app/Http/Controllers/Market/PosController.php: Apply isUserAllowedAccessToStore in getPosSessions.
  • app/Http/Controllers/Market/PosController.php: Apply isUserAllowedAccessToStore in getCustomers.

4. Testing & Validation

  • Create tests/Feature/PosAccessTest.php:
    • Test POS_TERMINAL login.
    • Test access to authorized store (Success).
    • Test access to unauthorized store (Fail - 401/403).
    • Test access to manager-only pages (Fail - 302).
  • Run the tests and ensure 100% success.
  • Perform a final sanity check on the UI (PosMain.vue) to ensure no broken links.